Microsoft Sheds Light on Windows Hello Integration with Edge

The team behind Microsoft Edge recently explained how the browser works with Windows 10's "Windows Hello" feature to let users access Web sites without passwords.

Microsoft floated the idea of integration between Windows Hello and Edge during the keynote of its Build conference last month. Terry Myerson, executive vice president for the Windows and Devices Group, had suggested at that time that Edge soon would be the only browser capable of enabling "secure and easy" biometric access across major Web sites.

Under this scheme, access is enabled using a PIN or a face or fingerprint scan, rather than by using a password. That approach is said to do away with the problem of having to use passwords, which are often easily guessed.

The Edge team on Tuesday explained a few more details about that idea in a blog post. Microsoft's Windows Hello biometric access method, currently available for Windows 10, is "natively" supported in the Edge browser, the team claimed. Moreover, Windows Hello is an "early implementation" of the World Wide Web Consortium's (W3C's) Web Authentication specification that was pioneered under the FIDO Alliance industry group. The Web Authentication spec is based on the FIDO 2.0 API.

Edge support for biometric authentication is still at an early stage right now. It's not really available for public testing. The Edge team showed off some of the server-side code that's used to carry out these user authentications, but the Edge browser currently varies somewhat from the W3C's developing Web Authentication spec that will support these biometric authentication schemes, according to Microsoft.

For instance, credential information has to be locally stored on client devices when not using passwords. If a user deletes their browsing history, then they have to register again using Windows Hello on the next log-in attempt. Microsoft's Edge team plans to "fix this issue in a future release."

Right now, the Edge team is looking for technical feedback on its APIs for enabling Windows Hello biometric verification in the Edge browser. There's not much there for the casual user to try out.

Moreover, it's not altogether clear when the W3C's Web Authentication spec will appear. It's all fairly new. The W3C announced the creation of the Web Authentication effort, based on FIDO 2.0, back in February.

The Edge team's announcement made a case for not using passwords. The new Web Authentication approach creates public and private keys, with the private key based on the device, so it's useless to a remote attacker. Moreover, the Windows Hello biometric approach obviates security issues like "password guessing, phishing, and keylogging," the team argued.
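The key-pair idea described above can be shown as a short challenge-response model. This is an added example, not code from Microsoft's blog post or the W3C spec; the `RelyingParty` class, the `createDeviceCredential` helper, the `origin|challenge` message layout and the `example.test` origin are all assumptions made for illustration.

```javascript
// Added illustration: a simplified model of public-key sign-in, not the Edge or W3C API.
const nodeCrypto = require("node:crypto");

// Device side: the key pair is generated locally and the private key never leaves.
function createDeviceCredential() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  return {
    publicKeyPem: publicKey.export({ type: "spki", format: "pem" }),
    // Hypothetical stand-in for the authenticator signing after a PIN or biometric check.
    sign: (challenge, origin) =>
      nodeCrypto.sign("sha256", Buffer.from(`${origin}|${challenge}`), privateKey).toString("base64"),
  };
}

// Server side: holds only public keys and one outstanding challenge per user.
class RelyingParty {
  constructor(origin) {
    this.origin = origin;
    this.publicKeys = new Map();
    this.pending = new Map();
  }
  register(user, publicKeyPem) { this.publicKeys.set(user, publicKeyPem); }
  issueChallenge(user) {
    const challenge = nodeCrypto.randomBytes(32).toString("base64");
    this.pending.set(user, challenge);
    return challenge;
  }
  verify(user, signatureB64) {
    const challenge = this.pending.get(user);
    const pem = this.publicKeys.get(user);
    this.pending.delete(user); // single use, so a captured response cannot be replayed
    if (!challenge || !pem) return false;
    const signed = Buffer.from(`${this.origin}|${challenge}`);
    return nodeCrypto.verify("sha256", signed, pem, Buffer.from(signatureB64, "base64"));
  }
}

function demo() {
  const site = new RelyingParty("https://example.test"); // constructed origin
  const device = createDeviceCredential();
  site.register("alice", device.publicKeyPem);
  const first = device.sign(site.issueChallenge("alice"), site.origin);
  const genuine = site.verify("alice", first);
  site.issueChallenge("alice");
  const replayed = site.verify("alice", first); // old response against a fresh challenge
  const lookalike = device.sign(site.issueChallenge("alice"), "https://examp1e.test");
  const phished = site.verify("alice", lookalike); // signed for a different origin
  return { genuine, replayed, phished };
}
```

The server's stored data contains nothing that can produce a valid response, which is the property the passwordless argument rests on.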

Exactly when users will be able to implement Windows Hello authentication in the Edge browser seems pretty unclear at this point. The team didn't offer any estimates. In theory, as a general W3C recommendation, the authentication technology would be expected to be available to all browser makers, not just Microsoft.